Dear Hacker
By Stephen Trout, HIPAA Blog

On the off-chance that you might pause from your dark and painful activities to read this, I’d like to offer you some hope.

First, I imagine what you do must be exhausting. It’s a familiar adage, oft-repeated: “Spend your life looking over your shoulder, and you’ll miss what’s right in front of you.” 

On the other hand, a look at the past can be valuable, for “Those who cannot remember the past are condemned to repeat it.” – George Santayana 

I guess what I’m saying is that learning from the past – exploring the tragedies and false hopes that might be shaping us – is different from living in the past; what we learn might even change (or save) a life.

“But how does this apply to cybercrime?” you might ask.

I know, the impact of your activities might not matter much – unless you’re making a buck. We’re often not moved by tragedy until it hits home – until it’s our own mother, or sister, or brother, or father.

But when a cyber-attack can take emergency health services and systems offline, steal or encrypt sensitive health data, and cause instruments to dangerously malfunction, real lives, businesses, and reputations are at stake.  

And not just any lives, as I said. The next time, it might be someone you love who needs emergency care. Hopefully, they’ll be able to get it.

That’s why even a glance at your recent past helps us see how these malicious attacks negatively impact health, and even hasten death. 

(And after what’s been called the worst year ever for healthcare data breaches – while people are already struggling from a pandemic – maybe it’s high time.)

For starters, it can help us put a face on who is actually impacted. In addition to our family members, it’s often hard-working entrepreneurs and struggling small-to-midsize businesses (SMBs) that suffer – because you’ve made the following choices:

  1. Size matters… not.

While attacks on larger healthcare organizations have tended to garner the most press, the especially vulnerable sector is the smaller and mid-sized healthcare practices.

Here’s an eye-opening fact, reported by cybersecurity magazine: last year (2021), 61% of SMBs reported at least one cyber attack.  

Also of note: the attacks against SMBs continue to comprise almost half (43%) of all breaches.

We’ll see why in a moment; but for now, these businesses shouldn’t think that because they’re not a major health system they don’t have a target on them. 

I know your reasoning: you believe that all a hacker needs is a few small business breaches to score a considerable payoff.

Yet you may not consider that you could be stealing someone’s livelihood and their ability to feed their children, or to provide healthcare to someone you know (see Wood Ranch Medical).

So, you continue to indiscriminately attack healthcare organizations of any and every size – especially SMBs that are easy prey. 

  2. You continue to prey on the vulnerable.

I’m sure you know that over half (52%) of SMBs have no IT security expert in-house. Perhaps you also know that 43% of SMBs don’t even have a basic cybersecurity plan in place. 

These facts tell a sobering story – one which often ends badly for SMBs. (If they’re reading this, they should take note: they remain vulnerable due to a serious lack of cybersecurity readiness.)

Why might this be? 

Besides believing that they’re not really a target, many new and smaller healthcare practices assume that their budget requires them to settle for less security. 

Thinking they have no other recourse, these SMBs end up depending on “homemade” solutions (better routers, etc.) when it’s actually possible – and necessary – to have more.

They tend not to implement advanced access controls, or use two-factor authentication – which alone can block up to 99.9 percent of compromise attacks, according to studies by Microsoft.   

  3. The outcomes can be devastating.

With the above statistics, is it any surprise that 83% of SMBs aren’t financially prepared to recover from a cyber attack? 

Starting with at least eight hours of downtime for severe cyber attacks (a major cost in the overall breach), many SMBs are unable to recover – especially since 91% have no cyber liability insurance.

We’ve seen how Wood Ranch Medical and others have been impacted. For those unprepared, one cyber attack can spell disaster. 

Even for those who may not be forced out of business, ramifications can include significant fines for HIPAA violations (failing to protect data), patient lawsuits, and legal costs. 

Now is the Time to Act

A look back can indeed be instructive; now it’s time to look forward and apply what we’ve learned. Doing so just might save a life or someone’s business.

We understand that SMBs have limited funds. It’s why HIPAA Vault offers low-cost, enterprise-level security for all our hosting plans, with fully managed services – all at one, convenient and affordable monthly cost.  

In the meantime, here are five practical steps these SMBs can take now that won’t break the bank:

  1. Improve your cybersecurity awareness now. Insist on regular cybersecurity education for all employees, and avoid the “weakest link” possibility. Include training on social engineering ploys and phishing.
  2. Keep your systems updated, including all software, applications, and OSes. Make sure your security software is fully patched and up-to-date, including antivirus and firewalls.
  3. Insist on strong password policies (use a password manager to help). Multi-factor authentication is also a must.
  4. Purchase cyber liability insurance.
  5. Talk to HIPAA Vault. We’ll take the burden of protecting your data off your back.

A final word to the hacker. I’m a firm believer that no one is beyond redemption. But it does require you to step out from your Hall of Shame, and embrace something better: a life without guilt, without looking over your shoulder all the time.

And for the SMBs – know that our goal in all this is to help you care for your patients and grow your business, so that in the coming year, you can look back – and ahead – with confidence. 

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Contact us at 760–290–3460 or www.hipaavault.com.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.